
FBI Investigating iPad E-Mail Leaks

Posted by timothy
from the seeking-cause-of-action dept.
CWmike writes "The Federal Bureau of Investigation has opened an investigation into the leak of an estimated 114,000 Apple iPad user e-mail addresses. Hackers belonging to a group called Goatse obtained the e-mail addresses after uncovering a web application on AT&T's website that returned an iPad user's e-mail address when it was sent specially written queries. After writing an automated script to repeatedly query the site, they downloaded the addresses, and then handed them over to Gawker.com. Now the FBI is trying to figure out whether this was a crime. US law prohibits the unauthorized accessing of computers, but it is unclear whether the script that the Goatse group used violated the law, said Jennifer Granick, civil liberties director with the Electronic Frontier Foundation. 'The question is, when you do an automated test like this, [are you] getting any type of unauthorized access or not,' she said. If it turns out the data in question was not misused, it is unlikely that federal prosecutors will press charges, she added."

  • Re:assholes (Score:3, Interesting)

    by $RANDOMLUSER (804576) on Thursday June 10, 2010 @10:31PM (#32531494)
    I think "embarrassing the FBI's (corporate) domestic surveillance wing" is the crime being investigated here.
  • This isn't so simple (Score:4, Interesting)

    by tpstigers (1075021) on Thursday June 10, 2010 @11:21PM (#32531766)
    What if some of those 114,000 iPad users live in Massachusetts? http://yro.slashdot.org/story/10/04/25/1745210/Mass-Data-Security-Law-Says-Thou-Shalt-Encrypt [slashdot.org]
  • by KingSkippus (799657) on Thursday June 10, 2010 @11:25PM (#32531780) Homepage Journal

    They may have discovered it, but they didn't report it to AT&T.

    ...According to AT&T. Someone is lying. From TFA [gawker.com]:

    Goatse Security notified AT&T of the breach and the security hole was closed.

    Then later in the article:

    AT&T sent us a statement...: "The person or group who discovered this gap did not contact AT&T."

    Personally, I think that AT&T is a sack of douchebags that doesn't know their ass from a hole in the ground, and when choosing who to believe between AT&T and just about anyone else, I'm inclined to believe anyone else. I'd bet dollars to doughnuts that someone did indeed notify AT&T, but now they're trying to cover their ass and make it sound like they somehow proactively found the hole themselves.

  • by Anonymous Coward on Thursday June 10, 2010 @11:38PM (#32531860)

    If it was any other company I'd agree with you, however this is Apple, and the fact that they tightly control who sells their product and how, I would expect some kind of oversight. You think if Vodafone got a bunch of iPads and was selling them at $1 on a 5 year plan that Apple wouldn't shit itself?
    They got themselves into their own self policed walled garden, now they have to deal with it. It was a security breach at a carrier inside the walled garden... deal with it.

    And yes, email addresses are valuable information. Sure, not as bad as SSNs, but would you post your email address on a billboard? Why do you think websites, companies etc. keep their customer emails under lock and key? Because it's valuable information.

  • Re:No relation (Score:2, Interesting)

    by penix1 (722987) on Thursday June 10, 2010 @11:42PM (#32531886) Homepage

    US law prohibits the unauthorized accessing of computers, but it is unclear whether the script that the Goatse group used violated the law, said Jennifer Granick, civil liberties director with the Electronic Frontier Foundation. 'The question is, when you do an automated test like this, [are you] getting any type of unauthorized access or not,' she said. If it turns out the data in question was not misused, it is unlikely that federal prosecutors will press charges, she added."

    There is a problem with that line of logic. As I see it, IANAL and all, they got them on at least one violation of the law. That violation was the initial intrusion which they can't argue was a script. Also, since when is an intrusion with the intent to obtain information they should know they are not entitled to considered a "test"?

  • Re:No relation (Score:3, Interesting)

    by aliquis (678370) <dospam@gmail.com> on Friday June 11, 2010 @12:18AM (#32532018) Homepage

    Uhm..

    They aren't arguing that the script may not be unauthorized access because it was automatic and that only the first attempt would be illegal because they did it in person.

    They were rather arguing that visiting that page once and getting an e-mail address may be something you just happen to do, but writing a script which fetches lots of e-mail addresses would be abusing the system / doing something you shouldn't do.

    Personally I think "they should know they are not entitled to" is a very weak juridical term/claim/charge/whatever. I can't see how visiting a web page which returns data it's supposed to return (as in not tricking it with malign data) could be a crime. If you don't want people to access the web page don't put it up for them to watch.

    And yeah, if anything I think AT&T would become the ones in the hot seat for making it possible and leaking the information in the first place.

  • Re:No relation (Score:4, Interesting)

    by vivian (156520) on Friday June 11, 2010 @01:31AM (#32532350)

    I don't entirely disagree with you, but I think at the end of the day, whether it could be considered cracking or not depends on the intent of the owners of the site.

    You could argue that the web pages were not ever intended to be accessed in the way that they were, because firstly the site's owner does not provide direct or indirect links to those pages, and secondly, the URLs used to get to the page are obviously being used as an extraordinarily weak form of security (i.e. through obscurity).

    Now that is just plain stupid on behalf of AT&T, but so is having your email password set to "12345", yet if someone accessed your email or other system you owned by going to the login screen and guessing your password, or writing a script to try obvious passwords, it would certainly be considered hacking - because that person has not been authorized to have access to that system.

    At the end of the day, it is the courts and possibly a jury that will determine whether this is considered a hack (in the system cracking sense). Since the goatse security guys obviously do not actually have a legitimate reason to access any of those pages of info, and they are using a script to do the accessing in a way that is a little similar to how password guessing programs work, I would say that this will eventually be considered a hack, by the court system.

    If the justice system can convict someone of murder even without an actual murder weapon, witness or definitive motive (not thinking of a particular case, but I am sure there are plenty), I am pretty sure it won't have too much trouble nailing these guys for hacking if it so wishes.
